Threat Description

November_17th

Details

Aliases: November_17th, Int83, BigMouse, November, 800
Category: Malware
Type: Virus
Platform: W32

Summary



The November_17th virus family has several members:


Variant: November_17th.584

Size: 584

This virus seems to be one of the earliest versions of November 17, as it only infects COM files. The virus will attempt to infect all COM programs that are executed, with the following exceptions:

o File is smaller than 16 bytes or larger than 63,488 bytes.

Every Wednesday between 1PM and 5PM, the virus will attempt to erase the CMOS (if present). Every time a key is pressed, a series of descending notes will be produced by the speaker.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details




Variant: November_17th.690

Size: 690

This variant attempts to infect any COM or EXE which is executed, with the following exceptions:

o COM files bigger than 61,440 bytes or smaller than 16 bytes
o EXE programs whose declared length is different from its physical length (e.g. programs with internal overlays)
o EXE programs which allocate less than 10 paragraphs (bait programs)

On the 8th of July, the virus will attempt to overwrite the first 8 sectors of the current drive. Network drives are not affected. Due to an error in the virus, the computer may crash after the payload has been activated.


Variant: November_17th.706

Size: 706

This virus will attempt to infect all COM and EXE programs that are executed, with the following exceptions:

o COM files bigger than 61440 bytes or smaller than 16 bytes
o EXE programs whose declared length is different from its physical length (e.g. programs with internal overlays)
o EXE programs that allocate less than 10 paragraphs of memory (e.g. bait programs)

On the first of any month, the virus will attempt to overwrite the first 11 sectors of the current drive. Due to an error in the virus code, the only drives to be affected are A:, B: and drives E: to Z:. Network drives will not be affected.


Variant: November_17th.768

Size: 768

This variant will attempt to infect all COM and EXE files that are executed, with the following exceptions:

o McAfee's SCAN and CLEAN programs
o Any COM file bigger than 60,000 bytes
o EXE programs that allocate less than 20 paragraphs of memory (bait programs)

If the current date is between the 17th and 30th of November, the virus overwrites the first 8 sectors of the current drive, making the disk unbootable.


Variant: November_17th.800.A

Size: 800

Any file that is opened, executed or has its attributes changed is liable for infection, with some exceptions:

o McAfee's SCAN and CLEAN will not be infected.
o System files are not infected.
o COM files larger than 60,000 bytes will not be infected.
o EXE programs whose declared length is different from its physical length (programs with internal overlays)
o EXE programs which allocate less than 20 paragraphs of memory (bait programs)

The virus will overwrite the first 8 sectors of the current drive on any day between the 17th and 30th of November. Network drives will not be affected.

The following text strings can be found at the end of all infected files:

SCAN.CLEAN.COMEXE


Variant: November_17th.855.A

Size: 855

This particular variant of November 17 is probably one of the most common viruses in Italy.

Any file that is opened, executed or has its attributes changed is liable for infection, with some exceptions:

o McAfee's SCAN and CLEAN will not be infected.
o COM files larger than 60,000 bytes will not be infected.
o EXE programs whose declared length is different from its physical length (programs with internal overlays)
o EXE programs which allocate less than 20 paragraphs of memory (bait programs)

The virus will overwrite the first 8 sectors of the current drive on any day between the 17th and 30th of November after 500 keypresses. Network drives will not be affected.

The following text strings can be found at the end of all infected files:

SCAN.CLEAN.COMEXE


Variant: November_17th.880

Size: 880

Any file that is opened, executed or has its attributes changed is liable for infection, with some exceptions:

o McAfee's SCAN and CLEAN will not be infected.
o COM files larger than 60,000 bytes will not be infected.
o EXE programs whose declared length is different from its physical length (programs with internal overlays)
o EXE programs which allocate less than 30 paragraphs of memory (bait programs)

The virus will overwrite the first 4 sectors of the current drive on any day between the 17th and 31st of October after 100 keypresses. Network drives will not be affected.

Certain instructions have been reordered in this virus, probably to prevent detection by existing signatures for other November 17 variants.

The following text strings can be found at the end of all infected files:

SCAN.CLEAN.COMEXEAMZ
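An added example (not F-Secure's detection logic and not code from this description): a Python triage helper that looks for the text strings quoted above in the tail of a file and, for EXE files, compares the length declared by the MZ header page fields with the physical size, the comparison the overlay exception refers to. The 880-byte tail window, the function names and the sample files are assumptions made for the example; a plain string match is an indicator for further analysis, not a signature.

```python
import struct

# Text strings quoted on this page, longest first so the .880 string is not
# reported as its shorter prefix.
MARKERS = [
    (b"SCAN.CLEAN.COMEXEAMZ", "November_17th.880"),
    (b"SCAN.CLEAN.COMEXE", "November_17th.800.A or .855.A"),
]
TAIL_WINDOW = 880  # assumption: largest variant size listed on this page


def find_marker(data):
    """Return (string, variants) if a listed string is in the file tail."""
    tail = data[-TAIL_WINDOW:]
    for marker, variants in MARKERS:
        if marker in tail:
            return marker.decode("ascii"), variants
    return None


def mz_declared_length(data):
    """Length declared by an MZ header, or None if the file is not an EXE."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        return None
    # Offset 2: bytes used in the last 512-byte page; offset 4: page count.
    last_page_bytes, pages = struct.unpack_from("<HH", data, 2)
    return max(0, pages * 512 - ((512 - last_page_bytes) if last_page_bytes else 0))


def triage(data):
    """Summarise the indicators for one file's contents."""
    declared = mz_declared_length(data)
    return {
        "marker": find_marker(data),
        "is_exe": declared is not None,
        # True when the physical size differs from the declared length
        "length_mismatch": declared is not None and declared != len(data),
    }


def sample_exe(image_len, appended=b""):
    """Constructed sample: minimal MZ header, zero padding, optional tail."""
    pages, last = divmod(image_len, 512)
    header = b"MZ" + struct.pack("<HH", last, pages + (1 if last else 0))
    return header.ljust(image_len, b"\x00") + appended


if __name__ == "__main__":
    print(triage(sample_exe(1000, b"\x00" * 40 + b"SCAN.CLEAN.COMEXE")))
```
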





Technical Details: Jeremy Gumbley, Symbolic, Italy

